The present invention relates to network systems, and more particularly to analyzing and protecting network systems.
Numerous tools have been developed to aid in network management involving various aspects of a network including performance measurement, virus activity, intrusion activity, etc.
One example of a tool for handling performance measurement is a “network analyzer.” In general, a network analyzer is a program that monitors and analyzes network traffic, detecting bottlenecks and problems. Using this information, a network manager can keep traffic flowing efficiently. A network analyzer may also be used to capture data being transmitted on a network. The term “network analyzer” may further be used to describe a program that analyzes data other than network traffic. For example, a database can be analyzed for certain kinds of duplication. One specific example of a network analyzer is the SNIFFER® device manufactured by NETWORK ASSOCIATES, INC.®
An example of a tool for monitoring virus activity is an “antivirus program.” As is known in the art, an antivirus program scans for known computer viruses in executable files, application macro files, disk boot sectors, etc. Generally, computer viruses are comprised of binary sequences called “virus signatures.” Upon the detection of a virus signature by the antivirus program, a virus disinfection procedure may then be used to extract the harmful information from the infected code, thereby disinfecting that code. Common virus scanning software allows for boot-sector scanning upon system boot up, on-demand scanning at the explicit request of the user, and/or on-access scanning of a file when that file is accessed by the operating system or an application. One specific example of an antivirus program is the ePOLICY ORCHESTRATOR® device manufactured by NETWORK ASSOCIATES, INC.®
With respect to monitoring intrusion activity, an exemplary tool for accomplishing the same is a security application called an “intrusion detection program.” A variety of intrusion detection programs have been developed to detect and protect against threats to network security. As is known in the art, a common method of detecting these threats is to scan for known attacks against networked computers. These attacks can be identified by their unique “attack signature,” which generally consists of a string of binary or text data. Upon the detection of an attack signature, protective measures can be taken, including: sending alerts, intercepting harmful traffic, or disconnecting users who launch attacks. One specific example of an intrusion detection program is the REALSECURE® device manufactured by INTERNET SECURITY SYSTEMS®.
Of course, there are numerous other types of tools adapted for monitoring and managing various other aspects of a network. For example, additional component-level network data may be collected for various purposes.
While each of the foregoing tools provides detailed information that may be individually used for a sole specific purpose, there has unfortunately been no successful attempt to leverage each of the foregoing data sources in combination for the purpose of collectively detecting threats to a network. Network security management is becoming a more difficult problem as networks grow in size and become a more integral part of organizational operations. Attacks on networks are growing both due to the intellectual challenge such attacks represent for hackers and due to the increasing payoff for the serious attacker. Furthermore, the attacks are growing beyond the current capability of security management tools to identify and quickly respond to those attacks. As various attack methods are tried and ultimately repulsed, the attackers will attempt new approaches with more subtle attack features. Thus, maintaining network security is an ongoing, ever-changing, and increasingly complex problem.
There is thus a need to leverage a plurality of different existing tools in combination for the purpose of detecting threats to a network.
A system, method and computer program product are provided for assessing threats to a network utilizing a plurality of data sources. Initially, network data is collected from a plurality of different network data sources. Such data is then aggregated and correlated, after which it is stored. Threats to a network are then assessed utilizing the aggregated and correlated network data.
In one embodiment, the network data may include network performance data collected utilizing a network analyzer. In such case, the network performance data may include network utilization data, application response time data, and/or error rate data.
In another embodiment, the network data may include virus activity data collected utilizing an antivirus program. Still yet, the network data may include network intrusion data collected utilizing a security program. As an option, such security program may include a plurality of agents and an event collector.
In still another embodiment, the network data may include network component data collected from a plurality of components of the network. Moreover, the network data may include threshold-based network data collected utilizing a baseline monitoring application.
As an option, the assessing may include threat assessment profiling. Such threat assessment profiling may involve comparing predetermined profiles with the aggregated and correlated network data. Moreover, an alert may be generated upon successfully comparing the predetermined profiles with the aggregated and correlated network data.
As yet another option, the assessing may include threat assessment predicting. Such threat assessment predicting may involve comparing predetermined indicators with the aggregated and correlated network data. An alert may be generated upon successfully comparing the predetermined indicators with the aggregated and correlated network data. Still yet, a profile may be generated upon successfully comparing the predetermined indicators with the aggregated and correlated network data. Such additional profile may, in turn, be used during the course of the aforementioned threat assessment profiling.
In still yet another embodiment, a plurality of rules may be identified. The aforementioned assessing may then be carried out based on the rules.
A database is thus provided for assessing threats to a network utilizing a plurality of data sources. Such database is adapted for collecting network data from a plurality of different network data sources including a network analyzer, an antivirus program, a security program, etc. In use, threats to a network may be assessed utilizing the network data in the database.
Further provided is a technique for graphically displaying threats to a network utilizing a graphical user interface. Initially, network data is collected. Thereafter, the network data is compared against a plurality of profiles. An overlap between the network data and the profiles may then be graphically displayed to illustrate an extent of correlation between the network data and the known profiles.
An associated technique may be provided for displaying threats to a network. In particular, first network data collected from a first network data source may be displayed utilizing a first window. Similarly, second network data collected from a second network data source may be displayed utilizing a second window. Still yet, third network data collected from a third network data source may be displayed utilizing a third window. Thus, the first window, the second window, and the third window may be utilized for assessing threats to a network.
Still yet, another system, method and computer program product are provided for assessing threats to a network. In use, profiles indicating a sequence of actions associated with threats over time are identified. Next, network data is compared against the profiles. Threats to a network are then assessed based on the comparison.
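The collect, aggregate, correlate and assess flow described above, together with profiles expressed as a sequence of actions over time, as an added illustration that is not part of the patent or any product it names. The event schema, the source names (ids, analyzer, antivirus), the profile format and all sample events are assumptions constructed for this example.

```python
from datetime import datetime, timedelta

# Constructed sample events from three hypothetical data sources, already
# normalised to one schema (time, source, host, action): the aggregation step.
EVENTS = [
    ("2024-01-01T10:00:00", "ids", "10.0.0.5", "port_scan"),
    ("2024-01-01T10:02:00", "analyzer", "10.0.0.5", "utilization_high"),
    ("2024-01-01T10:05:00", "antivirus", "10.0.0.5", "virus_detected"),
    ("2024-01-01T11:00:00", "antivirus", "10.0.0.9", "virus_detected"),
    ("2024-01-01T13:00:00", "ids", "10.0.0.9", "port_scan"),
]

# A profile (hypothetical format) is an ordered sequence of actions that must
# all occur on one host, in that order, within a time window.
PROFILES = [
    ("worm_outbreak", ("port_scan", "utilization_high", "virus_detected"),
     timedelta(minutes=15)),
]

def correlate(events):
    """Correlation step: build a time-ordered timeline per host."""
    by_host = {}
    for ts, src, host, action in sorted(events):
        by_host.setdefault(host, []).append((datetime.fromisoformat(ts), src, action))
    return by_host

def match_profile(timeline, sequence, window):
    """Return matched rows if `sequence` occurs in order within `window`, else None."""
    for i, (t0, _, a0) in enumerate(timeline):
        if a0 != sequence[0]:
            continue
        matched = []
        for t, src, action in timeline[i:]:
            if t - t0 > window:
                break  # window measured from the first action of this candidate
            if action == sequence[len(matched)]:
                matched.append((t, src, action))
                if len(matched) == len(sequence):
                    return matched
    return None

def assess(events, profiles=PROFILES):
    """Threat assessment profiling: one alert per (host, profile) match."""
    alerts = []
    for host, timeline in correlate(events).items():
        for name, sequence, window in profiles:
            if hit := match_profile(timeline, sequence, window):
                alerts.append({"host": host, "profile": name,
                               "sources": sorted({s for _, s, _ in hit})})
    return alerts
```

The alert records which data sources contributed to the match, which is the point of combining sources: no single tool sees the whole sequence.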